Bug 53546 - Update port: graphics/xpdf (includes security fix)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Doug Barton
Reported: 2003-06-20 10:50 UTC by Hideyuki KURASHINA
Modified: 2003-07-01 08:20 UTC

Attachments
file.diff (852 bytes, patch)
2003-06-20 10:50 UTC, Hideyuki KURASHINA

Description Hideyuki KURASHINA freebsd_committer freebsd_triage 2003-06-20 10:50:17 UTC
	Similar to ports/53479, xpdf before 2.02pl1 contains a vulnerability
	that makes it possible to construct a malicious URL link in a PDF file
	which causes an arbitrary command to be run.

	From xpdf 2.02pl1, the characters allowed in URL strings
	are based on a stricter policy. In former releases, xpdf filtered
	single quotation marks (') and double quotation marks ("), but not
	back-quotation marks (`).

	See the following references for details.

	  Xpdf, Current version 
	    http://www.foolabs.com/xpdf/download.html
	  [Full-Disclosure] -10Day CERT Advisory on PDF Files
	    http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
	  Xpdf Information for VU#200132
	    http://www.kb.cert.org/vuls/id/IAFY-5MQRU8

Fix: Update xpdf port as follows;

How-To-Repeat: 
	N/A (I couldn't reproduce this vulnerability).
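
The filtering gap described in this report, as an added example that is not part of the original report or of xpdf's code: a quote-only denylist leaves a backquoted word intact in a command line handed to the shell, while an allowlist combined with an argv list rejects it. The handler name, the command template, the sample URI and the allowed character set are assumptions made for illustration.

```python
import string

# Characters that keep a special meaning inside a double-quoted POSIX sh word.
DQ_ACTIVE = set('`$\\"')

# Assumed allowlist for illustration; not the character set xpdf 2.02pl1 uses.
ALLOWED = set(string.ascii_letters + string.digits + "-._~:/?#@&+,;=%")

# Hypothetical handler setting: %s is replaced by the link URI and the
# resulting line is handed to sh -c.
TEMPLATE = 'url-handler "%s"'

# Constructed sample URI containing both quote kinds and a backquoted word.
SAMPLE = "http://example.invalid/a'b\"c`date`"


def strip_quotes(uri):
    """Denylist from the report: remove ' and " but nothing else."""
    return uri.replace("'", "").replace('"', "")


def shell_line_denylist(uri):
    """Command line as the quote-only filter would build it."""
    return TEMPLATE % strip_quotes(uri)


def still_active(uri):
    """Shell-active characters that survive the quote-only filter."""
    return sorted(DQ_ACTIVE & set(strip_quotes(uri)))


def argv_allowlist(uri, handler="url-handler"):
    """Stricter policy: reject any character outside ALLOWED and return
    an argv list, so no shell ever parses the URI."""
    bad = sorted(set(uri) - ALLOWED)
    if bad:
        raise ValueError("rejected characters in URI: %r" % bad)
    return [handler, uri]


if __name__ == "__main__":
    print(shell_line_denylist(SAMPLE))
    print(still_active(SAMPLE))
    try:
        argv_allowlist(SAMPLE)
    except ValueError as exc:
        print(exc)
    print(argv_allowlist("http://example.invalid/doc.pdf?page=2"))
```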
Comment 1 Norikatsu Shigemura freebsd_committer freebsd_triage 2003-06-20 11:07:17 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dougb

Over to maintainer.
Comment 2 tkato 2003-06-25 14:12:59 UTC
Additional Changes:
- Fix PORTVERSION format
- Remove useless files/patch-aa

diff -urN /usr/ports/graphics/xpdf/Makefile graphics/xpdf/Makefile
--- /usr/ports/graphics/xpdf/Makefile	Sat Apr 12 22:49:55 2003
+++ graphics/xpdf/Makefile	Mon Jun 23 22:49:43 2003
@@ -6,11 +6,12 @@
 #
 
 PORTNAME=	xpdf
-PORTVERSION=	2.02
+PORTVERSION=	2.02.1
 CATEGORIES=	graphics print
 MASTER_SITES=	ftp://ftp.foolabs.com/pub/xpdf/ \
 		${MASTER_SITE_TEX_CTAN}
 MASTER_SITE_SUBDIR=	support/xpdf
+DISTNAME=	${PORTNAME}-${PORTVERSION:R}pl${PORTVERSION:E}
 
 MAINTAINER=	DougB@FreeBSD.org
 COMMENT=	Display PDF files, and convert them to other formats
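Review bot: The added DISTNAME line only yields a valid tarball name while PORTVERSION ends in a patchlevel component: ${PORTVERSION:R}pl${PORTVERSION:E} turns 2.02.1 into xpdf-2.02pl1, but a later plain release such as 2.03 would expand to xpdf-2pl03. Add a comment above DISTNAME saying it has to be dropped or adjusted when upstream ships a release without a pl suffix.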
@@ -24,6 +25,7 @@
 
 USE_GMAKE=	yes
 GNU_CONFIGURE=	yes
+CONFIGURE_TARGET=	--build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
 CONFIGURE_ENV=	CPPFLAGS="-I${LOCALBASE}/include" \
 		LDFLAGS="-L${LOCALBASE}/lib"
 CONFIGURE_ARGS=	--with-gzip --enable-opi --with-x \
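Review bot: The new CONFIGURE_TARGET line is not covered by the change description, which lists only the PORTVERSION format fix and the removal of files/patch-aa. State why the --build triple needs to be overridden for this port, in the PR or as a Makefile comment above the line, or split it out so the security update can be reviewed on its own.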
diff -urN /usr/ports/graphics/xpdf/distinfo graphics/xpdf/distinfo
--- /usr/ports/graphics/xpdf/distinfo	Sat Apr 12 22:49:56 2003
+++ graphics/xpdf/distinfo	Mon Jun 23 22:45:16 2003
@@ -1 +1 @@
-MD5 (xpdf-2.02.tar.gz) = fb54402d98fb834e5778163cfc238b44
+MD5 (xpdf-2.02pl1.tar.gz) = e2932bb0f844d8318c940350c2aa2eb6
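Review bot: The replaced MD5 line is the only integrity record for xpdf-2.02pl1.tar.gz, and nothing in the PR says how the value was obtained. Because this tarball carries the security fix, fetch it from the MASTER_SITES listed in the Makefile and recompute the MD5 before committing rather than taking the value from the patch.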
diff -urN /usr/ports/graphics/xpdf/files/patch-aa graphics/xpdf/files/patch-aa
--- /usr/ports/graphics/xpdf/files/patch-aa	Mon Feb 11 11:26:25 2002
+++ graphics/xpdf/files/patch-aa	Thu Jan  1 09:00:00 1970
@@ -1,19 +0,0 @@
---- configure.in.orig	Fri Feb  1 15:15:45 2002
-+++ configure.in	Sun Feb 10 17:42:52 2002
-@@ -193,6 +193,16 @@
- if test "$xpdf_cv_func_mkstemp" = yes; then
-   AC_DEFINE(HAVE_MKSTEMP)
- fi
-+dnl # Ditto mkstemps()
-+AC_CACHE_CHECK([for mkstemps],
-+xpdf_cv_func_mkstemps,
-+[AC_TRY_LINK([#include <stdlib.h>
-+#include <unistd.h>],     
-+[mkstemps("foo", 0);],
-+xpdf_cv_func_mkstemps=yes, xpdf_cv_func_mkstemps=no)])
-+if test "$xpdf_cv_func_mkstemps" = yes; then
-+  AC_DEFINE(HAVE_MKSTEMPS)
-+fi
- 
- dnl ##### Check select argument type: on HP-UX before version 10, select
- dnl ##### takes (int *) instead of (fd_set *).
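Review bot: Deleting files/patch-aa is justified only as "useless", while the removed patch added a configure.in check for mkstemps() that defines HAVE_MKSTEMPS. Confirm that configure.in in 2.02pl1 already performs this check, or that nothing in the source tests HAVE_MKSTEMPS, and say which in the commit message, since the macro concerns how temporary files are created.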
Comment 3 Doug Barton freebsd_committer freebsd_triage 2003-07-01 08:20:24 UTC
State Changed
From-To: open->closed


I just committed the update to this port, thanks.